Automated mechanism to obtain detailed forensic analysis of file access

ABSTRACT

Systems, methods, and computer program products to perform an operation comprising monitoring a set of file access requests to a file from a first application to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file, storing the set of call information in a data file, receiving a request for access to the file from a second application, obtaining call information from a runtime stack from the second application, comparing the call information with the set of call information, determining the request for access is an abnormal request based on the comparing, and taking an action based on the determination.

BACKGROUND

The present disclosure relates to an automated mechanism to obtain detailed forensic analysis of file access, and more specifically, to automatically obtaining detailed information related to file accesses to determine file access patterns and detect abnormal file access patterns.

Generally people and organizations rely on multiple software applications. Each user generally has a set of permissions which specifies what files or data the user may be able to access. These permissions may be file specific, allowing the user to access each file in a certain way, such as read only, read and write, or otherwise access the file. Often, a set of permissions are configured per user for sets of files, for example at a directory level. In such cases, a user may have a certain level of access to one set of files in a particular directory, such as their personal directory, and another level of access to another directory, such as a network share.

Users typically use multiple applications, which may be stored in a common storage partition. These applications may be configured, for example either by automatically during setup or by an administrator, with generous permissions levels, creating a security risk. Generally there is very little or no detailed knowledge by application administrators of how users may access specific files. Rather, administrators generally configure permissions by, for example, directory levels, or broadly for sets of users. However, configuring permissions using broad settings can present an unnecessary security risk as excessive permissions may allow for an attacker to more easily access and exfiltrate data. What is needed is a mechanism by which to automatically determine typical file access patterns and detect abnormal file access attempts.

SUMMARY

According to one embodiment of the present disclosure, a method for auditing file access. Generally, the method comprises monitoring a set of file access requests to a file from a first application to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file, storing the set of call information in a data file, receiving a request for access to the file from a second application, obtaining call information from a runtime stack from the second application, comparing the call information with the set of call information, determining the request for access is an abnormal request based on the comparing, and taking an action based on the determination.

According to another embodiment of the present disclosure, a system for auditing file access. Generally, the system comprises a processor and a memory including a program which when executed by the processor, performs an operation comprising monitoring a set of file access requests to a file from a first application to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file, storing the set of call information in a data file, receiving a request for access to the file from a second application, obtaining call information from a runtime stack from the second application, comparing the call information with the set of call information, determining the request for access is an abnormal request based on the comparing, and taking an action based on the determination.

According to another embodiment of the present disclosure, a computer program product comprising a computer-readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by one or more computer processors for auditing file access. The computer readable program code generally comprises code for monitoring a set of file access requests to a file from a first application to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file, storing the set of call information in a data file, receiving a request for access to the file from a second application, obtaining call information from a runtime stack from the second application, comparing the call information with the set of call information, determining the request for access is an abnormal request based on the comparing, and taking an action based on the determination.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 illustrates an example computing environment, in accordance with aspects of the present disclosure.

FIG. 2 illustrates a computing environment configured to enable an automated mechanism to secure customer data, according to aspects of the present disclosure.

FIG. 3 is a diagram illustrating an example operating system according to aspects of the present disclosure.

FIG. 4 is a chart view of the file permissions check log, in accordance with aspects of the present disclosure.

FIG. 5 is a flow chart illustrating a method for collecting authority information, in accordance with aspects of the present disclosure.

FIG. 6 is a flow chart illustrating a method for securing data, in accordance with aspects of the present disclosure.

FIG. 7 is a flow chart illustrating a method for forensic analysis of a file request, in accordance with aspects of the present disclosure.

FIG. 8 depicts a cloud computing node according to one embodiment.

FIG. 9 depicts a cloud computing environment according to one embodiment.

FIG. 10 depicts abstraction model layers according to one embodiment.

DETAILED DESCRIPTION

Embodiments disclosed herein are directed to an automated mechanism to obtain detailed forensic analysis of file access. Generally, applications and users access files in a predictable manner. The manner in which applications and users access files may be monitored over a period of time to determine a pattern of access. For example, a user may access a file, such as a manual, for reference using a particular application. The file may be opened by the application for read-only access without changing the file. In a second example, a user may use an application to access another file for read/write and make edits to the file. In both cases, detailed information on the function calls made by the application in issuing a request for access to each file may be captured in order to determine a pattern for how each file is typically accessed. After the pattern is determined, future file access requests may then be compared to the pattern of access in order to detect and prevent abnormal file access requests. For example, where the application is used to request read/write access for the file typically opened for read only, the access request may be determined to be abnormal and an appropriate action may be taken. For the second example, where another application or a compromised version of the application is used to request read/write access to the file, the function calls placed by the other application or compromised version of the application may be obtained and compared to the pattern in determining that the request is abnormal.

FIG. 1 illustrates an example computing environment, in accordance with aspects of the present disclosure. As illustrated in FIG. 1, multiple applications 104 may execute on a computer 102. These applications may run in an operating system 106, which may itself run in a virtual machine on a host operating system (not shown). These applications 104 may access files stored in the shared location, such as a file system 106 of the operating system 106, a database 108, or other mechanism for file storage and access.

As a part of obtaining detailed information regarding an application in issuing a request for access, detailed information about what level of permissions necessary for an application to work properly may be gathered. For example, in many operating systems, each file and directory has a set of permissions such as read, write, and execute permissions. Each file and directory is associated with a set of user-based permissions which control what permissions a particular user, or group of users, or applications have such that, for example, a particular user may have read-only permissions on one file and read/write permissions on another file.

An installed application, such as application 104A, has files not only in a dedicated directory, but may also have files in system, shared, or user directories scattered throughout a file system. The application may also install, by default, with a level of permissions higher than needed to access these files and run the application. For example, an application may be installed with read/write access to application program files, as the program files are located in a directory where the user has read/write access to, while the application only needs to read from the program files in the course of running the application. In such a case, as the user only needs read only access to the file but has read/write access, the user has excessive permissions to the file. In an enterprise setting, unnecessary security vulnerabilities may occur unless an administrator adjusts permissions.

In addition to program files, a user may access various files. Each file is associated with a set of permissions defining how users may access the file and these permissions may be derived or changed at run time. For example, a user may have read only permissions to a set of files, where file access permission levels for the files are set based on user-level, group-level, or other level of permission settings. An application, executing in the context of the user, may derive permissions from the user-level permissions and use those permissions to open a file of the set of files for read access. In another example, where the user again has read only permissions to a set of files, the application may need read/write access to a file. As the user only has read access to the file, the user does not have that authority. However, the application may be able to elevate its authority, i.e., the application may be able to assert another set of permissions other than those permission derived from the user's permissions. For example, the setuid utility in Linux, allows an application to assert the authority of the owner of the application rather than the user. By asserting the authority of an entity other than the user, the application may be able to access files that the user otherwise would not be able to access. Using this elevated authority, the application is able to open the file for read/write access even though the user does not have read/write permissions on the file.

As such, it can be very difficult for the customer or administrator to determine a minimum set of permissions needed for each file as even if the administrator can readily identify what files or directories need to have the appropriate permissions set, the administrator cannot assume that the user actually needs, for example, read/write permissions to a file as the user may be able to access the file via an application executing with elevated privileges. Where the user is able to gain read/write access to the file with the corresponding application, then the user's permissions should not be set to read/write absent a need to access the file outside of the corresponding application. Removing user privileges to files while still retaining sufficient access to the file via particular applications may result in a much more secure computing environment as if a user's account is compromised, as an attacker is still limited to actions performed through the particular application on the file. Granular information related to what applications and how applications request access to a file also enables forensic analysis of how a file is typically used such that unusual means of accessing the file may be detected and prevented.

As used herein, an “application” may refer to any executable program code, such as a job, workload, service, task, script, and the like, and may be of any suitable format, such as a binary file, executable, installer package, image, and the like.

FIG. 2 illustrates a computing environment 200 for an automated mechanism to secure customer data, according to aspects of the present disclosure. The computing environment 200 includes a computer 202. The computer 202 may also be connected to other computers (e.g. hosts) via a network 220.

The computer 202 generally includes a processor 204 which obtains instructions and data via a bus 210 from a memory 206 and/or storage 208. The computer 202 may also include one or more network interface devices 212 connected to the bus 110. The computer 202 is generally under the control of an operating system (not shown). Examples of operating systems include the IBM i operating system, UNIX operating system, the Microsoft Windows operating system, and distributions of the Linux operating system. (UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.) More generally, any operating system supporting the functions disclosed herein may be used. The processor 204 is a programmable logic device that performs instruction, logic, and mathematical processing, and may be representative of one or more CPUs. The processor may execute one or more server applications 214 in memory 206. The network interface 212 may be any type of network communications device allowing the computer 202 to communicate with other computers via the network 220. The network interface 212 may exchange messages with the network 220.

The storage 208 is representative of hard-disk drives, solid state drives, flash memory devices, optical media, and the like. Storage 208 may also include structured storage, for example a database. Generally, the storage 208 stores user data 216 and application data 218 for use by the computer 202. In addition, the memory 206 and the storage 208 may be considered to include memory physically located elsewhere; for example, on another computer coupled to the computer 202 via the bus 210 or network 220.

According to aspects of the present disclosure, the computer 202 may be one or more servers operating as a part of a server cluster. For example, computer 202 may operate as an application server and may communicate with or in conjunction with other frontend, application, backend, data repository, or other type of server.

The hosts 230 are compute nodes configured to execute one or more client applications 236. Generally, client applications 236 may be deployed in any suitable configuration. For example, client applications 236 may execute on computer 202 as a process, or within the context of a virtual machine executing on computer 202. As another example, multiple client applications 236 may execute on a single compute node, separate from computer 202. As shown, client applications 236 execute on multiple hosts 230, which are separate from computer 202. The client applications 236 may communicate, via the network 220, with the server applications 214.

FIG. 3 is a diagram illustrating an example operating system 300 according to aspects of the present disclosure. As discussed above, a computer is generally under the control of an operating system 300 which acts as an intermediary between computer hardware and provides a set of common services for software applications, including server and client applications. One of these common services often provided by modern operating systems include security services via file permissions. A software user application 304, such as a client or server application, may execute in a user space 302 of an operating system 300. The user application 304, executing in the context of a first user, may call into a system library 306, such as an application programming interface (API) or C library requesting access to one or more files. The system library 306 may then make a system call to a system call interface 312. The user application 304 may also directly make system calls to the system call interface 312. The system call interface 312, executing in kernel space 310, processes the system call.

Kernel space is a protected address space in memory in which core operating system operations, such as processing input/output (I/O) requests, managing memory, etc., are executed. Generally, kernel space is reserved for executing an operating system kernel 314, any installed kernel extensions (not shown) and device drivers 316. In contrast, user space 302 is address space in memory (separate from kernel space) used to execute applications 304, a graphical user interface (GUI), and system libraries 306. Each instance of a computer program executing in user space 302 is generally executed within its own virtual memory address space in the context of the user executing the program. Programs executing in user space 302 generally cannot access the virtual memory space of other programs without passing access requests through the kernel via the system library 306. Kernel programs executing in kernel space 310 generally have full memory access.

For example, in accessing a file, an application may invoke a system call, such as access( ) of the system library 306, passing in an indication of what type of access is sought, such as read or read/write access. The system library 306 then calls into the system call interface 312 executing in kernel space 310. The system call interface 312 may call into a file permissions check module 320 of the kernel 314 to determine whether the application has sufficient permissions to access the file. The file permissions check module 320 may base the permissions determination on, for example, the calling process' real authority based on the user authority, or the calling process' elevated authority, if available.

Generally, the kernel 314 manages access to I/O devices, including access to the file system and storage, as allowing direct application access to I/O device ports and controllers may cause system instabilities due to a misbehaving single application. As a part of managing access to the I/O device, the kernel 314 generally, determines whether to allow the application to perform file operations on the file based on the authority of the application, such as the user, group, or other authority, and the permissions on the file, and this determination may be made by the file permission check module 320 of the kernel 314. The file permissions check module 320 obtains the application's real or elevated authority and accesses file permissions information to perform functions necessary to verify that the application 304 has sufficient permissions to access the file.

The file permissions check module 320 obtains the application's real or elevated authority and accesses file permissions information to perform functions necessary to verify that the application 304 has sufficient permissions to access the file. For example, the file permissions check module 320 may interface with the file system interface 322 to access the file. The file system interface checks the file system and returns the file permissions. File permissions are stored with the file in a file system (e.g., new technology file system (NTFS), extended file system (ext, ext2-ext4), library based file system, database based file systems). For example, Unix style file permissions may be stored as 9 bits of information along with the file indicating which three actions (read, write, and execute) may be performed by which three groups (user, group, other). The file permissions check module 320 interprets these information bits to determine permissions to the file. Additionally, the file system may support access control lists (ACL) which may support assigning actions to more than one user or group for each file. ACLs are also stored in the file system.

Generally, permissions for a file are checked whenever there is an action performed on the file. For example, if a file is opened for reading, the file permission check module 320 performs a check to verify the user has read permissions on the file. Where the user then performs an edit on the file the application may then open the file for read/write. If the file is then re-opened for read/write, even during the same application instance, the file permission check module 320 performs another check on the file permissions. Another permissions check may be performed when the file is actually being written tom such as during a save.

In checking the permissions on a file, the file permissions check module 320 obtains file permissions information. This information may be passed along to an authority collection module 324 invoked by, or contained within, the file permissions check module 320. This information may pertain to, for example, details of the permissions available to the user, along with permissions available to any groups or ACLs associated with the user, permissions obtained from an executable asserting elevated privileges, permissions required by the file, time information, system object information, whether an authority check is successful, and other such information useful for checking whether a user has sufficient permissions to access a file. As the authority collection module 324 may collect information related to each permissions check, the authority collection module may determine the permissions requested by an application, along with the permissions actually used by the application. The authority collections module 324 may be able to obtain an application's runtime stack, which may detail each active subroutine of a program as well as calls by the program to other programs and interfaces, such as API or system calls. This runtime stack information may be useful for determining information leading up to the file permissions check, including, but not limited to, whether an application or any other programs or interfaces called by the program invoked elevated authority, as well as providing information on how an application typically places requests for file access, elevated authority, or other processes which may result in a file permissions check.

The authority collection module 324 may be configured, for example via a command line command or a graphical user interface, to obtain and log information related to a file permissions check. This logging may be configurable. For example, the authority collection module 324 may be configured to log every request for a file permissions check as well as the results of the check for a particular user. In addition, other configurations may be supported, such as for multiple users, specific types of files, or based on specific file permissions sought. The logged information may be stored in a file of the file system, for example, as a data file or database file. Logging, via the authority collection module 324 may be performed over a period of time, observing the files access by users in the ordinary course of activities on the computer. This logged file may be accessible, like other files, by an administrator or user to view and analyze using other tools, such as a database view tool. After the logged file access and permissions information is collected by the authority collection module 324, the information may be analyzed by an authority adjustment module 326. After the period of time, which may be a predetermined or administratively configured, the logs produced by the authority collection module 324 may be analyzed to determine appropriate file permissions for monitored files by an authority adjustment module 326. The authority adjustment module may also adjust file permissions based on this analysis.

In some systems, a protected microcode space 330 may be provided, which may be physically separate from hardware used to store and execute the user and kernel spaces. For example, the microcode space 330 may execute on a service processor or processor subsystem that interfaces with and manages another processor or other portions of a processor. The microcode space 330 provides a protected memory and execution space separate from both the user space 302 and kernel space 310 which kernel programs may call into while performing certain functions. The file permissions check module 330 may call into, for example, a security module 332 executing in the microcode space 330 to gather the file permissions information. Generally, authority collection of the file permissions may be performed in the same context in which file permissions are obtained. Where file permissions information is obtained in microcode, authority collection and authority adjustment may be performed, at least in part, in microcode space 330. For example, interfaces for beginning and ending authority collection and logging may be implemented in the OS kernel or user space, while data collection itself may be performed in microcode space.

According to aspects of the present disclosure, operating system architecture and how an authority collection process is implemented influences the amount and type of information available for collection as file permission information may be treated as privileged information by an operating system. For example, an operating system may partition execution of programs executing in user space such that they cannot access information related to other programs, such as a request for a file, without cooperation between multiple programs. Where such cooperation is not available, such as between legacy or third party programs, requests for access to or from another program may be passed along to the OS itself. However, some OS's may not support user space programs obtaining information related to file access by another program without a certain level of corporation between the programs. File permissions information available to applications executing solely in user space thus may be much less detailed than can be obtained where the authority collection is integrated to some degree in the OS kernel.

The authority collection process may also be implemented, at least in part, within the context of the OS kernel. For example, debugging functionality built into the OS kernel may be utilized. However, utilizing built-in debugging functionality of an OS using an authority collection application executing in user space may introduce authority elevation issues and impact user permissions as well as limit the flexibility or data obtainable by the application based on the features of the existing debugging functionality. In another example, the authority collection process may be integrated with the OS and execute in kernel space allowing the authority collection process to access memory and applications utilized in the user space, for example to access an application's runtime stack, which may be a stack data structure that contains information related the active subroutines (e.g., calls) of a program for returning control from a first subroutine higher on the runtime stack to a second subroutine lower on the runtime stack after the first subroutine has finished executing.

According to aspects of the present disclosure, an automated mechanism to secure data may be implemented as an OS kernel and microcode based process which secures data by first collecting information related to how a file is used and permissions information related to the file. This information may then be analyzed to determine the minimal level of permissions necessary to utilize the file and then permissions to files may be adjusted based on the analysis. Permissions information may be collected, for example, by an authority collection module executing within the context of a file permissions check module for each file access request. Permission information collection may be performed over a period of time to monitor how applications access files and is used to obtain an understanding of how the files are used by a particular user.

FIG. 4 is a chart view of the file permissions check log 400, in accordance with aspects of the present disclosure. As shown, the file permissions check log 400, depicts a portion of information that may be collected and logged by the authority collection module 324 of FIG. 3 based on a request for access to several files and objects. The view is based on database query on the log and contains information related to multiple files and objects. Information related to a specific file may be identified and displayed by other database queries. Here, the file permissions check log includes columns of information pertaining user authority 402, timestamp of each file permissions check 404, system object placing the call 406, required privilege to access the file based on the request 408, current privileges 412, along with a more detailed view of the required authority 410, source of the authentication information 414, whether elevated authority is used 416, most recent program invoking the system call 418, representing the start of forensic program information from the runtime stack, most recent user program statement number 420 associated with the system call, name of a program invoking elevated authority 422, program with elevated privileges statement number associated with the system call 424, and the owner of the program having elevated privileges 426. As discussed above, information in the file permissions check log may be information obtained during a file permission check performed by the file permission check module 320, classifying and logging the information obtained. The file permissions check module 320 may also obtain information from a runtime stack when a file permission check is requested. The runtime stack, may contain information related to the active subroutines of the application, including names of any additional applications called, names of calling and called subroutines, statement numbers of calling and called subroutines, order in which applications are called, whether a particular called application invoked elevated authority, and other runtime execution environment information related to the application, similar to information that may be available to a debugging development environment. The authority collection module may parse the runtime stack, classifying and logging the information in the stack.

FIG. 5 is a flow chart illustrating a method 500 for collecting authority information, in accordance with aspects of the present disclosure. As shown, the method begins at step 502 when an application requests access to a file. In response, the authority collection module, via the file permissions check module, receives an indication of the identity of the file, the location of the file, the type of access requested (e.g., read/write/execute) along with user level identity information, such the process user and groups to which the process user is a member of. This user level identity information along with permissions associated with the identity may be gathered by the authority collection module at 504 for a particular file and file location. The file permissions check module may also obtain permissions information related to the file, such as the authority required by the system to access the file, users and groups current authority to the file, and ACL lists for the file. This file and group permissions information may be gathered by the authority collection module at 506 for a particular file and file location.

At 508, the authority collection module retrieves a runtime stack of the application requesting access to the file as well as information related to the runtime execution environment, such as job names, IDs, etc. Retrieving the runtime stack enables access to detailed information related the execution environment as well as information related to the application requesting access to the file. For example, the runtime stack may contain detailed information related to the runtime execution environment, such as information related to active calls made by the application, including names of any additional applications called, names of calling and called subroutines, statement numbers of calling and called subroutines, order in which applications are called, whether a particular called application invoked elevated authority, thread information, job information, and other runtime execution environment information related to the application. At 510, the authority collection module parses the runtime stack, identifying, for example, programs on the runtime stack, program statement numbers used invoked at each level of the runtime stack, system object call, job and thread information for the runtime environment. The parsing may, for example, be performed by looking at variable information passed into the system call, along with information related to returning to the subroutine when processing a particular call is finished, as well as environment information from a runtime context for the call. The authority collection module may

The authority collection module may also determine whether elevated privileges were asserted and if so, what privileges those elevated privileges comprise. This determination may be based on, for example, the runtime stack, or by monitoring for privilege elevation requests. For example, the runtime stack may contain runtime execution environment information indicating what authority a particular application is invoking when the particular application makes a call to another application, a system call, or for each call. The authority collection module may gather identification information related to the executable asserting elevated privileges, including name and location of the executable, module, procedure name, and statement number within the executable requesting access to the file, and an indication as to whether the elevated privileges are used to access the file.

At 512, the gathered and parsed information is logged to an authority collection data file or OS control block for each file access request. This logging may be, for example, to a data file or to a database file.

FIG. 6 is a flow chart illustrating a method 600 for securing data, in accordance with aspects of the present disclosure. After file permission information is collected, file permissions may be adjusted on a file by file basis to better align user authority to access a file with available authority required to access the file. Permissions for each file accessed by a particular application and logged during authority collection may be analyzed for adjustment. The authority adjustment module, for example, may determine a user has more privileges than required to access a particular file by comparing the required privileges and the current privileges to see if the current privileges exceed the required privileges. As another example, the authority adjustment module may determine where privileges are elevated by an application, but not used. For example, a user running an application may have read/write privileges to a file in their user profile. The application also obtains elevated privileges for read/write access to the file. However, in accessing the file, the authority of the user is sufficient and there is no need to utilize the elevated privileges. As the user has read/write access to the file directly, the user is able to access the file for read/write both within the context of the application and also outside of the context of the application, such as via the command line, structure query language (SQL), file transfer protocol, or other interface.

At 602, information logged in the authority collection data file may be sorted and analyzed for every file accessed by the application, for applications in the log. At 604, based on the information logged, the authority used to access the file, as shown in column 402 of FIG. 4, is determined along with the source of the authority, for example, whether the authority is derived from the user authority, group authority, or particular ACL lists, as shown in column 414. At 606 the set of privileges required by the application to access the file as shown in columns 408 and 410, based on the requests actually made on the file, is determined. For example, where a file is opened first for read-only and then accessed again for read/write, the highest level of authority required to access the file is read/write access. At 608, a determination is made as to whether the application has elevated authority available to the application when accessing the file, for example based on column 422 or another column indicating an authority source.

Where authority elevation is not available to the application the privileges available to access the file are checked against the privileges required to access the file at 610. Where the privileges are equal, processing of the file ends and the next file is processed at 602. Where the privileges available to access the file exceeds privileges required to access the file as requested by the application, the user authority on the file is adjusted to reduce the privileges to the minimum privileges required to access the file at 612. For example, if the user has read/write privileges to the file, but only ever accesses the file read only, then permissions on the file may be adjusted such that the user only has read only privileges to the file. Group and ACL authority may also be adjusted, but where there are multiple users in a group or ACL, permission information may be collected and analyzed for multiple users of the group or ACLs prior to adjusting permissions on the file.

If authority elevation is available to the application, a determination is made as to whether the elevated authority is used to access the file at 614, for example, based on column 416. At 618, if the elevated authority is used to access the file, user authority to the file may be removed. Group and ACL authority may also be adjusted where permission information is collected and analyzed for multiple users of the group or ACL prior to adjusting permissions on the file. As the application is utilizing elevated authority to access the file already, user authority to the file may be safely removed while still permitting the user to access the file in the context of the application, but unable to access the file outside of the application. If elevated authority is available, but not used to access the file, the privileges of the elevated authority is checked against the privileges required to access the file as requested by the application at 616. If the privileges of the elevated authority are insufficient to access the file, then processing of the file ends and the next file is processed at 602. If the privileges of the elevated authority are sufficient to access the file, then user authority to the file may be removed at 618. Group and ACL authority may be adjusted in a manner similar to that described above.

FIG. 7 is a flow chart illustrating a method 700 for forensic analysis of a file request, in accordance with aspects of the present disclosure. Forensic analysis for a file may be performed on the file when an application requests access to the file. In collecting authority information, detailed forensic information may be captured by retrieving the runtime stack of the application. As discussed above, during permissions information collection when the application requests access to the file the runtime stack for the requesting process may be captured. The most recent user space application may be located on the runtime stack. The name and location of the application may be captured, along with information, for example, indicating the procedure, module, or statement number making the request. This information may be stored and used to build an index or map of how a file is normally accessed by a user via various applications, for example, associating calls to certain system objects with specific program statement numbers, module names, and invoking program. Once this index is built, additional requests for the file may be monitored and compared against the index to detect abnormal behavior in how the file is accessed. At 702, the authority collection data file may be retrieved.

At 704, an index of how the file is access may be built based on the retrieved authority collection data file. For example, the index may contain an entry for each file accessed. Associated with each file may be the application and runtime stack information of the calls made by the application in requesting file access, along with the authority information. For example, a first user may typically access a file using a first set of applications, such as PROGRAM1 and PROGRAM2 from column 418 via statements 12 and 11, and requiring use privileges, respectively. The index may contain entries for the file indicating the above information. At 706, an access request for the file is received. For example, an application may make a system call that requires a request access to a file. When the request to access the file is received by the file permissions check module, the authority collection module may be invoked and a runtime stack of the application captured. This runtime stack is parsed to extract runtime environment information, and more specifically, runtime environment information related to the state of the application leading up to the system call, such as specific program statement numbers, module names, and invoking programs. This information is then compared to the existing index at 708 determine whether the access request is similar to any entries in the index. For example, where the user attempts to access the file using another application such as PROGRAM3, the authority collection module may determine the request to be abnormal based on a comparison of the request and entries in the index. In another example, where the user attempts to access the file using an application, such as PROGRAM1 that is in the index, but via a statement number different from ones in the index, the request may also be determined to be abnormal. At 710, where the request corresponds to an entry in the index, the file access request is allowed and proceeds normally.

When a request is determined to be abnormal, at 712, a response to the abnormal behavior is triggered. Multiple responses may be triggered and the exact response may be administratively configured by a user. For example, the file access request may be logged for later display to an administrator, the file access request denied even though sufficient authority is available, or an alert may be raised. The specific response may be based on how similar the file access request is as compared to the index. Returning to the previous example, where the file access request is from an application in the index, such as PROGRAM1, but via a different statement number, the file access request may be logged, whereas a file access request received from PROGRAM3, which has no corresponding entry in the index, may be blocked.

It is understood in advance that although this disclosure includes a detailed description on cloud computing, implementation of the teachings recited herein are not limited to a cloud computing environment. Rather, embodiments of the present invention are capable of being implemented in conjunction with any other type of computing environment now known or later developed.

For convenience, the Detailed Description includes the following definitions which have been derived from the “Draft NIST Working Definition of Cloud Computing” by Peter Mell and Tim Grance, dated Oct. 7, 2009, which is cited in an IDS filed herewith, and a copy of which is attached thereto.

Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the service's provider.

Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes.

Referring now to FIG. 8, a schematic of an example of a cloud computing node is shown. Cloud computing node 10 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein. Regardless, cloud computing node 10 is capable of being implemented and/or performing any of the functionality set forth hereinabove.

In cloud computing node 10 there is a computer system/server 12, which is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system/server 12 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices, and the like.

Computer system/server 12 may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. Computer system/server 12 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

As shown in FIG. 8, computer system/server 12 in cloud computing node 10 is shown in the form of a general-purpose computing device. The components of computer system/server 12 may include, but are not limited to, one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including system memory 28 to processor 16.

Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnects (PCI) bus.

Computer system/server 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 12, and it includes both volatile and non-volatile media, removable and non-removable media.

System memory 28 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32. Computer system/server 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 34 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can be provided. In such instances, each can be connected to bus 18 by one or more data media interfaces. As will be further depicted and described below, memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.

Program/utility 40, having a set (at least one) of program modules 42, may be stored in memory 28 by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating system, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules 42 generally carry out the functions and/or methodologies of embodiments of the invention as described herein.

Computer system/server 12 may also communicate with one or more external devices 14 such as a keyboard, a pointing device, a display 24, etc.; one or more devices that enable a user to interact with computer system/server 12; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 12 to communicate with one or more other computing devices. Such communication can occur via I/O interfaces 22. Still yet, computer system/server 12 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 20. As depicted, network adapter 20 communicates with the other components of computer system/server 12 via bus 18. It should be understood that although not shown, other hardware and/or software components could be used in conjunction with computer system/server 12. Examples, include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.

Referring now to FIG. 9, illustrative cloud computing environment 50 is depicted. As shown, cloud computing environment 50 comprises one or more cloud computing nodes 10 with which local computing devices used by cloud consumers, such as, for example, personal digital assistant (PDA) or cellular telephone 54A, desktop computer 54B, laptop computer 54C, and/or automobile computer system 54N may communicate. Nodes 10 may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds as described hereinabove, or a combination thereof. This allows cloud computing environment 50 to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 54A-N shown in FIG. 9 are intended to be illustrative only and that computing nodes 10 and cloud computing environment 50 can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).

Referring now to FIG. 10, a set of functional abstraction layers provided by cloud computing environment 50 (FIG. 9) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 10 are intended to be illustrative only and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided:

Hardware and software layer 60 includes hardware and software components. Examples of hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components. Examples of software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide)

Virtualization layer 62 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients.

In one example, management layer 64 may provide the functions described below. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. The resource provisioning may be based on an analysis of the requested job/application and the cloud computing environment itself, as described above. Metering and Pricing provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal provides access to the cloud computing environment for consumers and system administrators. Service level management provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfillment provide pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.

Workloads layer 66 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and mobile desktop.

The descriptions of the various embodiments of the present disclosure have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

In the following, reference is made to embodiments presented in this disclosure. However, the scope of the present disclosure is not limited to specific described embodiments. Instead, any combination of the following features and elements, whether related to different embodiments or not, is contemplated to implement and practice contemplated embodiments. Furthermore, although embodiments disclosed herein may achieve advantages over other possible solutions or over the prior art, whether or not a particular advantage is achieved by a given embodiment is not limiting of the scope of the present disclosure. Thus, the following aspects, features, embodiments and advantages are merely illustrative and are not considered elements or limitations of the appended claims except where explicitly recited in a claim(s). Likewise, reference to “the invention” shall not be construed as a generalization of any inventive subject matter disclosed herein and shall not be considered to be an element or limitation of the appended claims except where explicitly recited in a claim(s).

Aspects of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.”

Embodiments of the present disclosure may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present disclosure.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present disclosure.

Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

While the foregoing is directed to embodiments of the present disclosure, other and further embodiments of the disclosure may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow. 

What is claimed is:
 1. A computer-implemented method for auditing file access, the computer-implemented method comprising, by operation of one or more computer processors: monitoring a set of file access requests to a file from a first application and in order to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file; storing the set of call information in a data file; receiving, from a second application, a request for access to the file; obtaining call information from a runtime stack from the second application, wherein the runtime stack is obtained by invoking a predefined call selected from a system object call and a microcode call; determining the request for access is an abnormal request, including determining, based on comparing the call information with the set of call information, that the second application has elevated privileges relative to the first application; and upon determining that the request for access is an abnormal request, automatically taking a predefined action, wherein the predefined action includes at least one of logging information related to the abnormal request and denying the request for access.
 2. The computer-implemented method of claim 1, wherein the runtime stack information further comprises at least one of system object calls, programs on the runtime stack, and program statement numbers of the calls.
 3. The computer-implemented method of claim 1, wherein the first application and second application are different applications.
 4. The computer-implemented method of claim 1, wherein the runtime stack information is obtained by invoking one or more system object calls into an operating system kernel.
 5. The computer-implemented method of claim 1, wherein the first application and second application are different applications, wherein the runtime stack information is obtained by invoking, in respective instances, each predefined call type selected from: (i) a system object call type into an operating system kernel and (ii) a microcode call type; wherein the runtime stack information further comprises: (i) system object calls; (ii) programs on the runtime stack; and (iii) program statement numbers of calling and called subroutines; (iv) names of calling and called subroutines; (v) an order in which applications are called; (vi) whether each called application invoked any elevated privileges; (vii) thread and job information pertaining to the first application; and (viii) a runtime context of the first application; wherein the comparing is based on at least the programs on the runtime stack and the program statement numbers of the calls; wherein the predefined action includes: (i) logging the information related to the abnormal request and (ii) denying the request for access.
 6. The computer-implemented method of claim 5, wherein the set of file access requests are monitored in order to obtain permission and identity information related to the monitored requests, wherein the computer-implemented method further comprises performing a first operation to set user privileges for a user of the first application, the first operation comprising: storing the permission and identity information in the data file; determining a set of user privileges available to the first application when the user causes execution of the first application; determining a set of elevated privileges available to the first application when the set of user privileges is insufficient; determining a set of needed privileges by the first application to access the file based on the stored data file; automatically selecting user privileges to assign to the user of the first application, based on the set of needed privileges and the set of user privileges; and assigning the automatically selected user privileges to the user of the first application; and generating an indication that the automatically selected user privileges are assigned to the user, whereafter the indication is output.
 7. The computer-implemented method of claim 6, wherein the first operation further comprises: upon determining that the set of elevated privileges is used to access the file, automatically removing at least one user privilege from the user; and upon determining (i) the set of elevated privileges is not used to access the file and (ii) the set of elevated privileges includes the set of needed privileges, automatically removing at least one user privilege from the user in order to cause the set of elevated privileges to be used when the file is subsequently accessed; wherein the determination that the set of elevated privileges is used is based on the runtime stack information, wherein user privileges to assign to the user are derived from, in respective instances, a user authority, a group authority, and an access control list.
 8. The computer-implemented method of claim 7, wherein the computer-implemented method further comprises performing a second operation to modify privileges of the user, the second operation comprising: determining whether the set of user privileges is sufficient to allow the first application to access the file for each file access request in the set of file access requests; determining, based on authentication environment information in the runtime stack information, whether the set of user privileges is different from the set of elevated privileges; storing, in the data file: (i) information related to the sets of user and elevated privileges and (ii) an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the user privileges of the user, including removing at least one user privilege from the user, whereafter the set of elevated privileges is used to access the file; and generating an indication that the user privileges for the user is automatically adjusted, whereafter the indication is output.
 9. The computer-implemented method of claim 8, wherein the predefined call comprises the microcode call, wherein automatically adjusting the user privileges of the user based on the determination comprises adjusting the user privileges of the user based on the determination and without having received any request specifying to adjust the user privileges of the user; wherein the determination that the set of user privileges rather than the set of elevated privileges is used to access the file is made based on, in respective instances: (i) the set of user privileges being used to access the file and (ii) the set of elevated privileges not being used to access the file.
 10. The computer-implemented method of claim 1, wherein the predefined action includes: (i) logging the information related to the abnormal request and (ii) denying the request for access.
 11. A system for auditing file access, the system comprising: one or more computer processors; a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising: monitoring a set of file access requests to a file from a first application and in order to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file; storing the set of call information in a data file; receiving, from a second application, a request for access to the file; obtaining call information from a runtime stack from the second application, wherein the runtime stack is obtained by invoking a predefined call selected from a system object call and a microcode call; determining the request for access is an abnormal request, including determining, based on comparing the call information with the set of call information, that the second application has elevated privileges relative to the first application; and upon determining that the request for access is an abnormal request, automatically taking a predefined action, wherein the predefined action includes at least one of logging information related to the abnormal request and denying the request for access.
 12. The system of claim 11, wherein the runtime stack information further comprises at least one of a system object calls, programs on the runtime stack, and program statement numbers of the calls.
 13. The system of claim 11, wherein the first application and second application are different applications.
 14. The system of claim 11, wherein the runtime stack information is obtained by invoking one or more system object calls into an operating system kernel.
 15. The system of claim 11, wherein the predefined action includes: (i) logging the information related to the abnormal request and (ii) denying the request for access.
 16. A computer program product for auditing file access, the computer program product comprising: a computer readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by one or more computer processors to perform an operation comprising: monitoring a set of file access requests to a file from a first application and in order to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file; storing the set of call information in a data file; receiving, from a second application, a request for access to the file; obtaining call information from a runtime stack from the second application, wherein the runtime stack is obtained by invoking a predefined call selected from a system object call and a microcode call; determining the request for access is an abnormal request, including determining, based on comparing the call information with the set of call information, that the second application has elevated privileges relative to the first application; and upon determining that the request for access is an abnormal request, automatically taking a predefined action, wherein the predefined action includes at least one of logging information related to the abnormal request and denying the request for access.
 17. The computer program product of claim 16, wherein the runtime stack information further comprises at least one of system object calls, programs on the runtime stack, and program statement numbers of the calls.
 18. The computer program product of claim 16, wherein the first application and second application are different applications.
 19. The computer program product of claim 16, wherein the runtime stack information is obtained by invoking one or more system object calls into an operating system kernel.
 20. The computer program product of claim 16, wherein the predefined action includes: (i) logging the information related to the abnormal request and (ii) denying the request for access. 